The Hacker News — Cyber Security, Hacking, Technology News

Exclusive — If you have an account on Taringa, also known as "The Latin American Reddit," your account details may have been compromised in a massive data breach that leaked the login details of almost all of its more than 28 million users.

Taringa is a popular social network geared toward Latin American users, who create and share thousands of posts every day on general-interest topics such as life hacks, tutorials, recipes, reviews, and art.

The Hacker News was informed of the breach by LeakBase, a breach notification service, which has obtained a copy of the hacked database containing details on 28,722,877 accounts, including usernames, email addresses and hashed passwords of Taringa users.

The passwords were hashed with MD5, an ageing algorithm that was considered outdated even before 2012 and that can be cracked easily, leaving Taringa users exposed to attackers.

Want to know how weak MD5 is? The LeakBase team has already cracked 93.79 percent (nearly 27 million) of the hashed passwords within just a few days.

LeakBase has shared a dump of 4.5 million Taringa users with The Hacker News to help us verify the authenticity of the leaked database.

Using email addresses from the dump, we contacted a few random Taringa users with their plain-text passwords, and they confirmed that the credentials were authentic.

The data breach reportedly occurred last month, and the company then alerted its users via a blog post, sharing more information about the incident.

"It is likely that the attackers have made off with the database containing nicks, email addresses and encrypted passwords. No phone numbers, access credentials from other social networks, or addresses of bitcoin wallets from the Taringa! Creators program have been compromised," the post (translated) says.

"At the moment there is no concrete evidence that the attackers continue to have access to the Taringa! code, and our team continues to monitor unusual movements in our infrastructure."

To protect its users, Taringa is currently sending a password reset link by email to users as soon as they access their account with an old password.

One of the contacted users has also shared a screenshot of the notice with The Hacker News, as shown above.

"We've made a massive password reset strategy and also increased the encryption of the passwords from MD5 to SHA256. We've also been in contact with our community via our customer support team," a Taringa spokesperson told The Hacker News.

Leaked Database Analysis

Below is a brief analysis of the leaked database, which suggests that even after countless warnings, most people keep using dead-simple passwords to safeguard their most sensitive data.

As the image below shows, the LeakBase team managed to crack 26,939,351 of the 28,722,877 passwords hashed with MD5, among which more than 15 million were unique.

The vast majority of the cracked passwords were alphabetic, mostly lower-case, and contained no special characters or symbols.

Below is the list of the most popular passwords chosen by Taringa users; it includes the usual worst offenders such as 123456789, 123456, 1234567890, 000000, 12345, and 12345678.

The most popular password length was six characters, followed closely by eight, nine and ten characters. As expected, the percentages drop sharply at greater lengths.

Besides the cracked passwords, LeakBase also took a look at the email addresses contained in the leaked dump; the most common email domains are as follows:

Is this only the users' fault? Not completely. It is also the fault of the company, which failed to enforce a strong password policy and so allowed users to sign up with weak passwords.

After data breaches, organisations tend to blame end users for poor password security, but forget that they never gave them a password policy to follow.
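The following script reproduces, on a small scale, both halves of this story: the audit LeakBase ran (a wordlist attack on unsalted MD5 hashes, followed by the crack-rate, uniqueness, length, character-class and email-domain statistics reported above) and the storage scheme that would have made the dump far less useful (a salted, deliberately slow per-user hash). It is an added example, not LeakBase's tooling or Taringa's code; the dump, the wordlist and the email addresses are constructed for the example, and only the hash format (unsalted MD5 hex) is taken from the article.

```python
"""Audit a leaked credential dump the way LeakBase did, then show the storage
scheme that would have made the dump far less useful.

Added example: not LeakBase's tooling and not Taringa's code. The dump, the
wordlist and the email addresses are CONSTRUCTED for this example; the hash
format (unsalted MD5 hex) is the one the article describes.
"""
import collections
import hashlib
import hmac
import os


def md5_hex(password):
    """Unsalted MD5 of a password, the scheme the leaked database used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# CONSTRUCTED sample rows as (email, md5_hex). Ten accounts, three of them
# sharing "123456"; one uses a password that is absent from the wordlist.
_PLAINTEXTS = ["123456", "123456789", "password", "hola123", "12345678",
               "123456", "secreto", "Tr0ub4dor&3", "qwerty", "123456"]
_EMAILS = ["u1@hotmail.com", "u2@gmail.com", "u3@hotmail.com", "u4@yahoo.com.ar",
           "u5@gmail.com", "u6@hotmail.com", "u7@outlook.com", "u8@gmail.com",
           "u9@hotmail.com", "u10@live.com.ar"]
SAMPLE_DUMP = [(e, md5_hex(p)) for e, p in zip(_EMAILS, _PLAINTEXTS)]

# CONSTRUCTED wordlist; a real audit uses published "worst passwords" lists.
WORDLIST = ["123456", "123456789", "password", "12345678", "qwerty",
            "hola123", "secreto", "000000", "1234567890"]


def crack_md5_dump(rows, wordlist):
    """Dictionary attack against unsalted MD5.

    With no salt, one MD5 per candidate word answers for every account that
    chose it, which is why tens of millions of hashes fall within days.
    Returns {email: plaintext or None}.
    """
    lookup = {md5_hex(word): word for word in wordlist}
    return {email: lookup.get(h.lower()) for email, h in rows}


def char_class(password):
    """Coarse character-class bucket, as in the article's composition stats."""
    if password.isdigit():
        return "digits"
    if password.isalpha():
        return "lower-alpha" if password.islower() else "mixed-alpha"
    if password.isalnum():
        return "alnum"
    return "with-symbols"


def analyse(results, rows):
    """Crack rate, unique passwords, top passwords, lengths, classes, domains."""
    cracked = [p for p in results.values() if p is not None]
    return {
        "total": len(results),
        "cracked": len(cracked),
        "crack_rate": round(100.0 * len(cracked) / len(results), 2),
        "unique": len(set(cracked)),
        "top": collections.Counter(cracked).most_common(3),
        "lengths": dict(sorted(collections.Counter(len(p) for p in cracked).items())),
        "classes": dict(collections.Counter(char_class(p) for p in cracked)),
        "domains": collections.Counter(e.split("@", 1)[1].lower() for e, _ in rows).most_common(3),
    }


def run_audit():
    return analyse(crack_md5_dump(SAMPLE_DUMP, WORDLIST), SAMPLE_DUMP)


# --- What the site should have stored instead: salted, slow, per-user hashes ---
def hash_password(password, iterations=200_000, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as one string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for key, value in run_audit().items():
        print("%-10s %s" % (key, value))
    stored = hash_password("hola123")
    print("salted, slow scheme verifies:", verify_password(stored, "hola123"))
```

The contrast is the point: the MD5 lookup table costs one hash per candidate for the whole dump, whereas the PBKDF2 scheme forces a fresh 200,000-iteration computation per guess per account, and the random salt means two users with the same password get different hashes.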

So far it is not clear who is behind the attack on Taringa, nor how the attackers managed to breach its servers.

Meanwhile, in separate news, we reported on an unknown hacker selling the personal details of more than 6 million high-profile Instagram accounts on a website called Doxagram, after breaching the Facebook-owned photo-sharing service through a flaw in its API.

How to Help Protect Yourself from Data Breaches

Of course, if you are one of the potentially affected users, you are strongly advised to change your password immediately.

Also change the passwords of any other online accounts for which you used the same password as for your Taringa account.

Even if a website allows you to create an account with a weak password, always choose a complex one. If you find it difficult to follow best practices, use a good password manager.

Moreover, avoid clicking on suspicious links or attachments received by email, and never provide personal or financial information without properly verifying the source.

Until now our privacy has been violated by many big Internet services, including Google, which uses our personal information for advertising purposes; that is simply how companies handle the mass of personal data we hand them. But a recent report about another giant, Microsoft, shows a problem that goes beyond privacy and touches the 'integrity' of our data.

To hold on to our large volumes of data, backups are always a good idea, and many of us prefer cloud-based storage such as Google Drive, Dropbox, Box, RapidShare and Amazon Cloud Drive to store and secure our personal data. Unfortunately, with Microsoft's OneDrive for Business storage service, it doesn't quite work that way.

Microsoft fails to deliver integrity to its users: its OneDrive for Business cloud storage service has been modifying users' files as they are uploaded to the cloud, according to Ireland-based storage technology researcher Seán Byrne, who described it in a Myce blog post.

This is not the case with all cloud storage services. Byrne tested Google Docs, Dropbox and even the consumer version of OneDrive, and found no modifications in the files synced between local and cloud storage; the files stored in the cloud were exactly the same as the originals.

With Microsoft's OneDrive for Business, however, he found that the stored files differed from the originals. He created some test PHP and HTML files and was able to verify that OneDrive altered them, adding new code during syncing.

To test whether this was a one-off error, he used the MD5summer tool to generate MD5 hashes of the synced content and found that most of the files returned "Checksum did not match" errors, because Microsoft was injecting uniquely identifiable code into some files.
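The check Byrne ran with MD5summer can be scripted so it covers a whole folder tree and reports exactly which files the sync changed. The script below is an added example, not Byrne's or Microsoft's code: it hashes the local tree and the synced copy, diffs the two manifests, and lists modified, missing and extra files. It defaults to SHA-256, since MD5 collisions are practical and an integrity check should not rely on a broken hash, but MD5 stays selectable to reproduce an MD5summer-style comparison. The `demo()` scenario (a local folder whose synced copy has one file with a marker appended and one file missing) is constructed for the example.

```python
"""Verify that files synced to a cloud folder are byte-for-byte identical to the
local originals, the check Byrne performed with MD5summer.

Added example, not Byrne's or Microsoft's code. It hashes both trees, diffs
the manifests and reports modified, missing and extra files. SHA-256 is the
default because MD5 collisions are practical; MD5 remains selectable to
reproduce an MD5summer-style comparison. demo() builds a CONSTRUCTED local
folder and a "synced" copy with one file altered and one file missing.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large files need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """{relative POSIX path: digest} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(local, synced):
    """Diff two manifests; a digest mismatch means the synced copy was altered."""
    return {
        "modified": sorted(k for k in local if k in synced and local[k] != synced[k]),
        "missing": sorted(k for k in local if k not in synced),
        "extra": sorted(k for k in synced if k not in local),
    }


def demo(algo="sha256"):
    """CONSTRUCTED scenario: the 'synced' tree gets a marker appended to one
    HTML file (standing in for the injected code Byrne observed) and loses one file."""
    with tempfile.TemporaryDirectory() as tmp:
        local, synced = Path(tmp, "local"), Path(tmp, "synced")
        local.mkdir()
        (local / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (local / "page.html").write_text("<html><body>test</body></html>\n")
        (local / "notes.txt").write_text("keep me\n")
        shutil.copytree(local, synced)
        with (synced / "page.html").open("a") as f:
            f.write("<!-- constructed marker, not the real injected code -->\n")
        (synced / "notes.txt").unlink()
        return compare_manifests(build_manifest(local, algo), build_manifest(synced, algo))


if __name__ == "__main__":
    # Real use: build_manifest() of the source folder before syncing, of the
    # synced folder afterwards, then compare; any "modified" entry is an integrity failure.
    for kind, files in demo().items():
        print("%-9s %s" % (kind, files or "-"))
```

In practice you would keep the manifest of the source folder (ideally on a different system from the one running the sync client) and re-run the comparison after each sync, so that a silent change in the cloud copy shows up as a `modified` entry instead of going unnoticed.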

Why Microsoft alters files on OneDrive for Business is not documented anywhere by the company, but the revelation has again raised doubts about data integrity at Microsoft.

Meanwhile, learn how you can encrypt your files before uploading them to any Cloud Storage.

Today Microsoft released its Security Bulletin Advance Notification for the February 2014 Patch Tuesday. The notification lists five bulletins, two of which address critical remote code execution flaws; the rest are rated important.

A remote code execution vulnerability has been found in Microsoft's own security software, Forefront Protection 2010 for Exchange Server, but this time there will be no new bulletin for Internet Explorer.

Users of Windows 7, Windows Server 2008 R2, Windows 8 and 8.1, Windows Server 2012 and 2012 R2, and Windows RT and RT 8.1 are also advised to patch their systems to protect themselves from malicious code exploiting a remote code execution vulnerability.

Apart from remote code execution, Microsoft is releasing patches for privilege escalation, information disclosure and denial of service flaws in the Windows operating system. A privilege escalation flaw in the .NET Framework is also rated important.

In an August 2013 advisory, Microsoft announced: "The availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks."

On the coming Patch Tuesday, Microsoft will deprecate MD5 for signing certificates used for server authentication, code signing and time stamping, and will use SHA-2 for signing such certificates. The update has already been available for about six months so that customers could test its impact.

The user forums of the popular Mac news and information site MacRumors were breached by hackers on Monday this week.

More than 860,000 usernames, email addresses and hashed passwords were potentially compromised. Users are advised to change their passwords on the forums, as well as on any other sites or services where the same password has been used.

MD5, with or without salt, is an inadequate means of protecting stored passwords. Back in 2012, the original author of the MD5 password hash algorithm publicly declared that MD5 is no longer considered safe to use on commercial websites.


The site's owner, Arnold Kim, apologized for the intrusion and said it occurred because the hacker gained access to a moderator account, which then allowed the intruder to escalate privileges with the goal of stealing user login credentials.

"We are looking into it further to see if there was another exploit, but there hasn't been any evidence of it yet."

He said the site had been hacked in a manner similar to the Ubuntu forums in July, where attackers defaced the site and accessed the user database. At the time, that site claimed more than 1.8 million registered members.

“We are still working to get the forums fully functional and more secure,”

He said that the log files so far indicate that the intruder tried to access the password database, but there are no indications that the passwords are circulating online in any form.


This week Microsoft released several advisories to help users move away from weak crypto. Microsoft is beginning the process of discontinuing support for digital certificates that use the MD5 hashing algorithm, and is improving network-level authentication for the Remote Desktop Protocol.

Microsoft Security Advisory 2661254: The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Microsoft Security Advisory 2862973: Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program.

The updates are available for testing now, ahead of automatic deployment in February 2014: "We plan to release this update broadly through Windows Update on February 11, 2014 after customers have a chance to assess the impact of this update and take necessary actions in their enterprise."

In June, an update set the minimum RSA key length to 1024 bits; this week's updates restrict the use of MD5 in digital certificates that are part of the Microsoft Root Program.

"These updates are meant to enhance customer privacy and security. Strong cryptography improves the functionality of signing features which allow users to validate the source and trustworthiness of the content. It also improves the functionality of the underlying cryptography algorithms, increasing the cost of attacker efforts to perform content spoofing, man-in-the-middle (MiTM), and phishing attacks."

The MD5 cryptographic hash function has long been considered insecure for use in SSL certificates and digital signatures. “Microsoft seems to be going after less secure encryption techniques, and that’s a good thing for Microsoft to start eliminating them from the landscape, especially MD5,” said Lamar Bailey, director at Tripwire.

In 2008, a team of security researchers demonstrated a practical attack that involved exploiting a known MD5 weakness to generate a rogue CA certificate trusted by all browsers. "Usage of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," Microsoft said.

Microsoft recommends that customers download, test, and apply the update at the earliest opportunity.
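Assessing the impact of these updates, both the February 2014 deprecation announced above and the advisories in this article, means finding certificates that are still MD5-signed. The script below is an added example, not Microsoft's code or tooling: it reads the outer structure of a DER-encoded X.509 certificate (SEQUENCE of tbsCertificate, signatureAlgorithm, signatureValue, per RFC 5280) with a small DER reader, decodes the signature-algorithm OID and flags md5WithRSAEncryption. The OID table is taken from the RFCs; the certificate produced by `constructed_cert()` is a constructed shell with a placeholder body and an all-zero dummy signature, used only so the example runs offline, not a real certificate.

```python
"""Flag X.509 certificates whose signature uses MD5, the class of certificate
the Microsoft advisories above restrict.

Added example, not Microsoft's code. A DER Certificate is
SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } (RFC 5280);
the reader below walks that outer structure with no third-party library.
constructed_cert() builds a CONSTRUCTED shell with a placeholder
tbsCertificate and a dummy signature, not a real certificate.
"""
import sys

# Signature-algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4"}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """OBJECT IDENTIFIER body -> dotted string (base-128 sub-identifiers)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return (oid, name) of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input must be base64-decoded first)")
    _, _tbs, pos = read_tlv(cert)                 # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(cert, pos)          # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_body, _ = read_tlv(alg_id)       # its first element is the OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_body)
    return oid, SIGNATURE_ALGORITHMS.get(oid, "unknown")


def uses_md5_signature(cert_der):
    return signature_algorithm(cert_der)[0] in MD5_SIGNATURE_OIDS


# --- helpers used only to build the constructed sample ---
def der(tag, body):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """CONSTRUCTED Certificate shell: placeholder tbsCertificate, a genuine
    AlgorithmIdentifier encoding, and a 1024-bit all-zero dummy signature."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + bytes(128))          # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python check_sig.py cert.der   (PEM -> DER: openssl x509 -in c.pem -outform DER)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_cert("1.2.840.113549.1.1.4")
    oid, name = signature_algorithm(data)
    print(oid, name, "<- MD5-signed, restricted by the update" if oid in MD5_SIGNATURE_OIDS else "")
```

Because the reader only walks the outer SEQUENCE, it works unchanged on a real DER certificate exported from a store; on a chain, run it over every certificate, since the advisory's restriction applies to any MD5-signed certificate under a Microsoft root.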

Passwords protect your financial transactions, your social networking sites, and a host of other nominally secure websites. People often say, "don't use dictionary words as passwords; they are horribly insecure", but what if hackers can also crack any 16-character password?

Criminals who want to break into your digital backyard will always find a way. A team of hackers managed to crack more than 14,800 supposedly random passwords from a list of 16,449 that had been converted into hashes with the MD5 cryptographic hash function.

The problem is the relatively weak method used to protect the passwords: hashing with MD5. Hashing takes each user's plain-text password and runs it through a one-way mathematical function, producing a unique string of letters and numbers called the hash.

The article reports that, using a commodity computer with a single AMD Radeon 7970 graphics card, it took one of the crackers 20 hours to recover 14,734 of the hashes, a 90-percent success rate, using brute force. In a brute-force attack, a computer tries every possible combination of characters.

In December, Jeremi Gosney, founder and CEO of Stricture Consulting Group, unveiled a 25-computer cluster that cracks passwords by making 350 billion guesses per second. It can try every possible word in less than six hours to recover plain-text passwords from lists of hashes.

Against passwords consisting of numbers only, 12 digits long, the hackers brute-forced 312 such passwords in 3 minutes. A password doesn't have to be a word at all: a whole phrase or sentence, a passphrase, offers more security. A well-chosen passphrase is easy for you to remember but difficult for anyone else to guess.

Even the strongest password in the world isn't secure if you use it for every one of your sites. If one site is compromised and hackers crack your password, and you have reused it, they can then gain access to your accounts on other websites.

The general public has no control over which hashing process websites use and is therefore at the mercy of an algorithm it may know nothing about. If you are concerned about security, long passwords are the best defense.

A few weeks after the discovery of the sophisticated cyber espionage campaign against major US media outlets, the Mandiant Intelligence Center released a shocking report revealing an enterprise-scale computer espionage campaign dubbed APT1. The term APT1 refers to one of numerous cyber espionage campaigns that have stolen vast quantities of information all over the world.

The evidence collected by the security experts links APT1 to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Unit Cover Designator 61398), but what is really impressive is that the operation began as far back as 2006 and has targeted 141 victims across multiple industries.

The report catalogues the APT1 malware families used during the attacks and reveals APT1's modus operandi (tools, tactics, procedures), including a compilation of videos showing actual APT1 activity.

Mandiant has also identified more than 3,000 indicators to improve defenses against APT1 operations and is releasing a separate document that addresses them, including APT1 indicators such as domain names, IP addresses, and MD5 hashes of malware.
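Indicators in those three categories are only useful once they are matched against what an organisation already logs. The script below is an added example, not Mandiant's tooling and not data from the report: it loads an indicator set (domains, IP addresses, MD5 hashes), scans proxy log lines for hosts that match an indicator domain or any of its subdomains or an indicator IP, checks a file-hash inventory against the malware hashes, and lists the internal hosts to triage. Every indicator, log line and file hash is constructed with placeholder values (`.invalid` domains, RFC 5737 documentation addresses, hashes of made-up byte strings), not real APT1 indicators.

```python
"""Match an indicator list (domains, IP addresses, MD5 hashes of malware) against
proxy log lines and a file-hash inventory.

Added example, not Mandiant's tooling and not APT1 data: every indicator, log
line and file hash below is CONSTRUCTED with placeholder values (.invalid
domains, RFC 5737 documentation addresses, hashes of made-up byte strings).
"""
import hashlib
import re

_SAMPLE_MALWARE_MD5 = hashlib.md5(b"constructed-malware-sample").hexdigest()

INDICATORS = {                                  # the three categories the report lists
    "domain": {"placeholder-apt1-c2.invalid"},
    "ip": {"192.0.2.44", "198.51.100.7"},
    "md5": {_SAMPLE_MALWARE_MD5},
}

# CONSTRUCTED proxy log: timestamp, internal source, method, URL, status.
PROXY_LOG = """\
2013-02-19T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2013-02-19T10:03:44Z 10.0.0.23 POST http://beacon.placeholder-apt1-c2.invalid/cmd 200
2013-02-19T10:05:10Z 10.0.0.23 GET http://198.51.100.7/update.bin 200
2013-02-19T10:07:00Z 10.0.0.15 GET http://cdn.example.net/lib.js 304
"""

# CONSTRUCTED (path, md5) pairs, as a host file-scan export might produce.
FILE_INVENTORY = [
    ("C:\\Windows\\Temp\\svchost.exe", _SAMPLE_MALWARE_MD5),
    ("C:\\Windows\\System32\\notepad.exe", hashlib.md5(b"benign-constructed").hexdigest()),
]

_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def host_of(url):
    """Host part of a URL, lower-cased; None if the URL has no scheme."""
    m = _HOST_RE.match(url)
    return m.group(1).lower() if m else None


def domain_hit(host, domains):
    """Return the matching indicator for host or any parent domain, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(log_text, indicators=INDICATORS):
    """One hit per log line whose destination matches an IP or domain indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                            # skip malformed lines rather than crash
        ts, src, _method, url, _status = fields
        host = host_of(url)
        if host is None:
            continue
        if host in indicators["ip"]:
            hits.append({"type": "ip", "indicator": host, "src": src, "ts": ts})
        else:
            dom = domain_hit(host, indicators["domain"])
            if dom:
                hits.append({"type": "domain", "indicator": dom, "src": src, "ts": ts})
    return hits


def scan_file_hashes(inventory, indicators=INDICATORS):
    """Paths whose digest matches a malware hash indicator."""
    return [path for path, digest in inventory if digest.lower() in indicators["md5"]]


def internal_hosts_to_triage(hits):
    """Distinct internal sources that touched an indicator, for incident scoping."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("%(ts)s %(src)s -> %(type)s indicator %(indicator)s" % hit)
    print("files matching malware hashes:", scan_file_hashes(FILE_INVENTORY))
    print("hosts to triage:", internal_hosts_to_triage(scan_proxy_log(PROXY_LOG)))
```

Hash indicators are the most brittle of the three, since recompiling a sample changes its MD5, which is why the same scan also keys on domains and addresses; the parent-domain match matters because command-and-control hosts are usually subdomains of the indicator domain rather than the bare name.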

APT1 has systematically stolen hundreds of terabytes of data from victim organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 is a persistent collector: once it has established access, it periodically returns to the victim's network to steal sensitive information and intellectual property over a long period, maintaining access to victim networks for an average of 356 days.

The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

Mandiant's managers decided to make an exception to the firm's traditional non-disclosure policy because of the risks posed by this imposing cyber espionage campaign and its impact on the global economy; many states and related industries are victims of the offensive.

The security firm's declaration is telling:

“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively. The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”